
Hardened systemd config #26

Open
juju4 opened this issue Oct 17, 2021 · 2 comments

juju4 commented Oct 17, 2021

As a security tool, we want to ensure we are not adding more attack surface than what is prevented/detected.

From early testing, the following is working on Ubuntu 18.04, 20.04 and CentOS 8 with a few variations:
https://github.com/juju4/ansible-sysmon/blob/master/templates/systemd-hardening.conf.j2
(Jinja2 template)

{{ ansible_managed | comment }}
#
# /etc/systemd/system/sysmon.service.d/hardening.conf
#
[Service]
# Hardening
# Warning! Test to your context
NoNewPrivileges=yes
PrivateTmp=true
ProtectHome=true
ProtectSystem=true
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 21 %}
ProtectProc=noaccess
{% endif %}

PrivateDevices=yes
DeviceAllow=

PrivateUsers=false
DynamicUser=false

UMask=077

# ReadWritePaths=
#InaccessiblePaths=/proc
{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 7) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 18) %}
ProtectKernelTunables=true
ProtectKernelModules=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 20) or
      (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int > 8 )
%}
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes
{% endif %}
ProtectControlGroups=true
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes

PrivateNetwork=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK AF_PACKET

IPAccounting=yes
IPAddressAllow=localhost link-local multicast 10.0.0.0/8 192.168.0.0/16
# IPAddressDeny=

AmbientCapabilities=CAP_BPF CAP_PERFMON
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
# CapabilityBoundingSet=~CAP_SYS_ADMIN
# CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
# CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
# CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
# CapabilityBoundingSet=~CAP_NET_RAW
# CapabilityBoundingSet=~CAP_IPC_LOCK

{% endif %}
{% if not (ansible_virtualization_type is defined and
          (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")
        ) and
      not (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 8) %}
{% if (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 8) or (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20) %}
SystemCallFilter=@system-service @debug @privileged
SystemCallFilter=~@mount @cpu-emulation @obsolete @resources @clock @swap @reboot @module
SystemCallArchitectures=native
# When system call is disallowed, return error code instead of killing process
SystemCallErrorNumber=EPERM
{% endif %}
{% endif %}

{% if sysmon_cgroups_restriction_enable|bool %}
CPUShares={{ sysmon_cgroups_cpushares | default('1024') }}
CPUQuota={{ sysmon_cgroups_cpuquota | default('10%') }}
MemoryLimit={{ sysmon_cgroups_memorylimit | default('1G') }}
{% endif %}
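The drop-in above repeats `CapabilityBoundingSet=` and `SystemCallFilter=` lines, and systemd folds such repeats with its own merge rule (a `~` line subtracts, a plain line adds, an empty assignment resets). The following added example, which is not part of the issue or of the ansible-sysmon role, parses a rendered drop-in and reports the effective sets, plus two things a reviewer would check by hand: capability tokens the checker does not recognise (`KNOWN_CAPS` is a deliberately short partial list) and `IPAddressAllow` ranges under `PrivateNetwork=yes`. The sample drop-in is constructed from the directives above with the Jinja conditionals already rendered.

```python
# Added example, not code from the issue or the ansible-sysmon role.
# KNOWN_CAPS is a short, partial list of capability names used only for this check.
KNOWN_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON"}

# Constructed sample: a subset of the issue's directives with Jinja already rendered.
SAMPLE = """\
[Service]
PrivateNetwork=yes
IPAddressAllow=localhost 10.0.0.0/8
AmbientCapabilities=CAP_BPF CAP_PERFMON
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_DAC_* CAP_NET_ADMIN
# CapabilityBoundingSet=~CAP_SYS_ADMIN
SystemCallFilter=@system-service @debug @privileged
SystemCallFilter=~@mount @obsolete
"""

def parse_service(text):  # [Service] key/value pairs; '#' and ';' lines are comments
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif line and line[0] not in "#;" and section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def merge(values):  # systemd merge rule: '~' line subtracts, plain line adds, '' resets
    allowed, denied = set(), set()
    for value in values:
        tokens = set(value.lstrip("~").split())
        if not value:
            allowed, denied = set(), set()
        elif value.startswith("~"):
            allowed, denied = allowed - tokens, denied | tokens
        else:
            allowed, denied = allowed | tokens, denied - tokens
    return allowed, denied

def evaluate(text):  # effective sets plus findings worth verifying on a real host
    pairs = parse_service(text)
    get = lambda k: [v for key, v in pairs if key == k]
    _, caps_denied = merge(get("CapabilityBoundingSet"))
    sc_allowed, sc_denied = merge(get("SystemCallFilter"))
    ambient = set(" ".join(get("AmbientCapabilities")).split())
    findings = [f"{c}: not a capability name this checker knows" for c in sorted(caps_denied - KNOWN_CAPS)]
    findings += [f"{c}: ambient but removed from the bounding set" for c in sorted(ambient & caps_denied)]
    if any(v in ("yes", "true", "on", "1") for v in get("PrivateNetwork")) and get("IPAddressAllow"):
        findings.append("PrivateNetwork=yes yields a loopback-only namespace; check IPAddressAllow ranges")
    return {"caps_denied": sorted(caps_denied), "syscall_allow": sorted(sc_allowed),
            "syscall_deny": sorted(sc_denied), "findings": findings}
```

Run `evaluate(SAMPLE)` after rendering the template for a target host, then compare with `systemd-analyze security sysmon.service` on that host.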
kesheldr (Contributor) commented Nov 3, 2021

This is excellent. I will find time to examine it and then incorporate it - would you like to submit it as a PR?

juju4 added a commit to juju4/SysmonForLinux that referenced this issue Nov 6, 2021
juju4 (Author) commented Nov 6, 2021

Done
